WO2010123565A1 - System and method for protecting against malware utilizing key loggers - Google Patents


Info

Publication number: WO2010123565A1
Authority: WO (WIPO (PCT))
Prior art keywords: data; software; software program; program according; browser
Application number: PCT/US2010/001199
Other languages: French (fr)
Inventor: Lloyd Liske
Original Assignee: Trusted Knight Corporation
Family has litigation
Priority to US12/427,833 (patent US8316445B2)
Application filed by Trusted Knight Corporation
Publication of WO2010123565A1
First worldwide family litigation filed: https://patents.darts-ip.com/?family=41216305&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=WO2010123565(A1) ("Global patent litigation dataset" by Darts-ip is licensed under a Creative Commons Attribution 4.0 International License.)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine

Abstract

A software, system and methodology for protecting against malware key logger attacks that utilize, for example, form-grabbing techniques. The application protects the browser from key logging malware attacks and from the loss of critical user confidential information that is often entered into internet forms for the purpose of buying items or logging into financial institutions. An embodiment of a method for blocking form-grabbing attacks includes the following steps. Upon detecting a form submission event from the browser, and immediately after allowing the data to be properly submitted, the form input fields are cleared of data. The method prevents hook-based key loggers or form-grabbing key loggers from capturing form input data, thereby protecting the user from theft of passwords or credentials.

Description

System and Method for Protecting Against Malware Utilizing Key Loggers

This application claims the benefit of U.S. Provisional Patent Applications Serial No. 61/125,178 filed on April 23, 2008, the entire disclosures of which are incorporated herein by reference.

FIELD OF THE INVENTION


The present invention relates to systems and methods for protection against the operation of malware commonly used in identity theft and cyber-fraud. In particular, but not by way of limitation, the present invention relates to systems and methods for preventing key logger malware that utilizes form-grabbing techniques to steal financial and identity information from users' browsers.

RELATED ART

Identity Theft and Criminal Malware Targeting Browsers

Personal computers and business computers are widely infected with malicious software that intercepts and steals critical personal and financial information as it is being called by the user's browser. Almost all online commerce and activity originates from a user electing to open an internet browser to conduct business, either with his or her bank, brokerage, investment manager, or with numerous online stores. Because of the massive growth in online commerce, and the requirement and use of credit cards and personal data to facilitate that market, sophisticated criminal hackers have targeted this line of commerce with ever-evolving malware. Much of the sophisticated malware is not being caught by commercial anti-virus solutions. Thus, unwitting consumers, believing they are protected, often enter the stream of online commerce not recognizing that malware can, and does, steal their critical information. This sophisticated theft is taking place due in large part to the rise of what is called key logging malware. Key logging malware is created, often by sophisticated criminal online syndicates, to facilitate the capture of passwords, credit card data, and personal credentials, generally without the person's knowledge.

Key Logging Malware Avoids Detection

Key logging is a method of capturing keyboard input to a computer or computing device. It is a common technique for obtaining passwords and sensitive information using unauthorized software.

Software key loggers capture targeted personal data on the computers they infect. They operate alongside legitimate programs on the infected system. The malware relays the captured data over the internet to the unauthorized recipients who planted it, using the TCP/IP ports of common user applications in order to bypass security controls. Software key loggers employ a number of techniques, including hooking various operating system Application Programming Interfaces (APIs) and system drivers, screen capture, form grabbing, and hook-based keystroke logging.

Another technique is hook-based key logging. Hook-based key loggers are programs that insert a system API hook into an API stack. This is done by placing a call object into the API stack, where it acts as a filter. When a user's browser calls a website, the data are filtered through this malware call, which allows an attacker to record all the data being passed by the system driver, such as keystrokes passing through the operating system driver. For example, one type of hook-based key logger monitors and records each key press that generates an Interrupt Request (IRQ) to the system driver on the motherboard. The key logger, as part of the malware, saves this data as a text file, which is subsequently sent to a remote location for retrieval by malefactors. Malefactors commonly deploy such key loggers via the internet to the computers of thousands of unsuspecting users. The volume of data generated by such hook-based key loggers is great and can amount to many gigabytes within a short period. This mass of data is cumbersome to store and difficult to search for the very small percentage that represents credential and password information. As a result, malefactors have fine-tuned their malware to meet these challenges and reduce the large take of useless data stolen by their malware.

The Rise of Form-Grabbing Key Loggers

Form-grabbing key loggers insert a hook that captures the form data, and only form data inputs. The form information being stolen is, essentially, those forms used for online banking and other online commerce that require users to enter personal information, card data, passwords, reminder questions, and mother's maiden names. This perfection of the malware allows more precise targeting of stolen credentials, and it greatly increases the odds that credentials stolen will be found and used. Previous methods often resulted in so much data being siphoned out by malware that credentials of interest to financial criminals and identity thieves were buried in the sea of stolen data. This is no longer the case with form-grabbing key loggers.

Form-grabbing key loggers have become a preferred type of key logger for sophisticated cyber criminals due to (1) their resistance to detection and lack of effective countermeasures, (2) their effect of substantially reducing the volume of captured data that must be searched to extract credentials, and (3) almost all credentials used for online transactions are entered at some point into a web form. Form-grabbing key loggers have become the first choice for cyber criminals when targeting bank login data.

Form grabbers sit between the internet browser and the called internet page. This allows an inserted browser helper object to inject into or directly access the browser's API call functions, so that all data passed to the form can be recorded as the browser passes it to the server, the criminals then sending the targeted data to themselves. This mode of action defeats all known anti-key loggers, as they do not protect the web form or the browser window APIs. As an example, when a user submits data to a legitimate banking website using web forms, a form-grabbing key logger that is monitoring the web browser can grab the submitted data by injecting a hook and hooking API functions within the browser.

Because the API hook is protected within the system driver, this does not protect the data being passed from the browser. Form grabbers deal with the browser and the data being passed over the internet; hook-based key loggers record data as it passes through the API or system driver.

Form-grabbing key loggers also succeed in recording and stealing automatic form filler data as well as any data copied from another location such as data pasted from a clip board.

Methods to Detect and Stop Key-Loggers

Software is available to detect and remove many types of malware. Attempts to combat all forms of key logger malware have not been successful. Moreover, consumers falsely rely on commercial anti-virus products that are often not updated with the latest version, and even when fully updated or patched, are ineffective to address the root problem of form-grabbing key loggers.

Software is available to address some elements of software key loggers. A number of methods are available to detect and/or disable hook-based key loggers. All known methods deal with accessing the API stack directly. One method used is the unhooking of APIs that insert themselves into the API stack. This method is represented by the KeyScrambler® product from QFX Software Corporation (Ormond Beach, FL), which employs an encryption-based method. According to this method, keystroke data is encrypted at the source (keyboard) and passed to a form in decrypted format. Another variation of this method is used in the GuardID® product of StrikeForce Technologies Inc. of Edison, New Jersey, which utilizes similar API hooking and key-scrambling methods but does not protect the user if the malware inserts itself as a hook-based key logger at the first position in the stack. Moreover, this method does not effectively protect users against form-grabber threats.

US 2007/0240212 attempts to counter the action of key logger malware by creating a keyboard driver and hooking into various running Windows processes. In particular, it creates a keystroke unhook or bypass method. A program engine hooks Windows processes and performs a monitoring action in which it looks for hooked calls. When a hooked call is detected, it injects a program and launches new processes. This method creates a false entry state and a false exit state whereby the keystroke data is passed through these states, i.e., bypassing a keystroke logger hook, by using a separate Windows keyboard driver. This method may counter hook-based key loggers but is likely to cause system instability, because it injects into running Windows processes, a technique known to cause memory corruption and system failures. Moreover, a simple modification by the authors of key logger malware would allow such malware to identify the anti-key logger driver file and hook this process instead, thus allowing the key logger to capture the user's keystrokes as they pass through that process. This method does not protect against hook-based key loggers that are programmed to insert themselves prior to the anti-key logger ("AKL") itself hooking within the API stack, thus making it ineffective against the current generation of form-grabbing key logger malware.

It is an object of the present invention to provide a solution to protect against key loggers that is not disruptive of the system and does not depend on user experience by, for example, asking the user to determine whether flagged processes or programs should be allowed to operate. The solution of the present invention does not depend on detection of malware at all. The solution of the present invention instead defeats the action of form-grabbing key loggers, and can likewise defeat the action of hook-based key loggers that are capable of operating in the presence of scramblers.

It is the further object of this invention to provide a solution that is compatible with all common widely deployed browsers and without requiring a change of browsers by users.

SUMMARY OF THE INVENTION

Exemplary embodiments of the present invention that are shown in the drawings are summarized below. These and other embodiments are more fully described in the Detailed Description section. It is to be understood, however, that there is no intention to limit the invention to the forms described in this Summary of the Invention or in the Detailed Description. One skilled in the art can recognize that there are numerous modifications, equivalents and alternative constructions that fall within the spirit and scope of the invention as expressed in the embodiments.

In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the invention and embodiments thereof. It will be apparent, however, to one skilled in the art that the invention can be practiced without these specific details. In other instances, structures and devices are shown in block diagram form in order to aid in understanding the embodiments of the invention.

Reference in this specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. The appearances of the phrase "in one embodiment" in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Moreover, various features are described which may be exhibited by some embodiments and not by others. Similarly, various requirements are described which may be requirements for some embodiments but not other embodiments.

The present invention provides a system and method for managing malware. In one embodiment, a form-grabbing key logger inserts a hook Dynamic Link Library file into the system-wide hook chain, and all key messages are intercepted by the Hook DLL unless it is kicked off the chain by another program or deprived of receiving messages by its top hook DLL. In a preferred embodiment, the present invention includes an Anti-Key Logger (AKL) software program in the form of a browser helper object and a DLL file. In this embodiment, these two files act in concert, the effect of which is to act to prevent the action of this hook, thereby protecting data as it passes through its normal browser API route. The present system acts under the assumption that the user computer may already be compromised and that an undetected key logger may be in place. The present system detects attempts to place hooks, by techniques such as modification of important tables or the insertion of inline hooks.

Another embodiment of the invention, as an alternative to the DLL and Browser Helper Object (BHO) combination, is to embody the embodiment in a browser's source code. In another embodiment of the invention, software containing anti-key logger functionality can be distributed by a financial institution to thousands or millions of its customers which have online access to their accounts. This software is downloaded to each individual accountholder PC upon initiation of an online access session with the financial institution. The anti-key logger software operating on each individual PC incorporates processes enabling it to communicate with a master server appliance or hierarchy of server appliances within the financial institution in order to allow tracking of accountholder PCs that have downloaded and installed this software. After installation, upon initiation of each subsequent online access session with the financial institution the software verifies its presence on the PC and identifies itself. In the case of an accountholder that initiates an online access session (account login) from a PC which does not have the AKL installed, the financial institution can choose to deny access or require a higher level of authentication. In addition, the financial institution may recommend to the user that his or her password be changed based on the greater exposure to theft of credentials during use of a browser running on a PC that is not protected by the AKL.

Another aspect of the embodiment that uses AKL functions distributed to multiple online accountholders from a central server is the addition of blacklists, whitelists, or both blacklists and whitelists to the AKL functions. Such signature lists can include known phishing sites which target the financial institution's accountholders or, in the case of whitelists, can include newly launched sites which are used to deliver services to the institution's customers. By focusing on blacklists of sites that target the host financial institution, as opposed to incorporating broad-based blacklists, the signature list updates can be provided in small files which do not cause noticeable waits or otherwise degrade system performance. The addition of such lists complements the effectiveness of the AKL in preventing malware from compromising the credentials of an online user. Moreover, the server-to-PC communications processes which verify the presence and identity of software in accordance with the present invention upon the initiation of each new online session can be used as an occasion to update such signature lists. This creates the opportunity to update signature lists in a more timely fashion. A timelier updating of newly identified malicious sites is a significant benefit given that the window of operation for many phishing sites is five to twenty-four hours, which is shorter than the update cycle of most commercial anti-virus and anti-spyware products. Another embodiment includes a toolbar interface that allows the user to be aware of its operation. The use of such toolbars is well known in the art, as these programs are commonly used to provide awareness of the operation of security monitoring functions.
When a method according to the invention is incorporated into a software program containing blacklist- driven, heuristic-based, or other anti-phishing functionality, the users will be provided with graphic alerts when the browser is directed to web sites which are considered to be risky.

In an alternative embodiment, software embodying the invention can be packaged as a stand alone component to allow the product to be delivered to the client in a manner requiring minimal interaction. For example, one embodiment would utilize the component object model (COM) developed by Microsoft for Windows platforms. Software based on ActiveX technology is prevalent in the form of Internet Explorer plug-ins and, more commonly, in ActiveX controls.

In yet another embodiment of the invention, a portable device contains an installable embodiment of the invention. In this form, the invention can be used by an accountholder of a financial institution when accessing his or her account via a browser on a public use or other PC that is not known to be protected by the invention. Examples of such PCs might be those available in airports, internet cafes, or hotel business centers.

A software program according to one embodiment of the invention is embedded in a microprocessor-readable storage medium and executable by a microprocessor to prevent software key logging. The software program comprises a module for inserting and executing predetermined software processes at a zero-ring level in an application programming interface ("API") stack of a browser. The software processes include a process of detecting a browser form submission initiation call event at the zero-ring level; a process of intercepting data inputs keyed in by a user at the zero-ring level; and a process of (1) submitting the keyed-in data to a designated entity through the API stack while (2) clearing confidential data from the intercepted data at the zero-ring level prior to a subsequent transmission, which does not contain the confidential data, in response to the software key logging through the API stack to an internet communication port. The browser may be Internet Explorer, and the form submission initiation call event takes the form of an onSubmit call or a BeforeNavigate call under Internet Explorer. The module for inserting may take the form of a global hook call.

The predetermined software processes may be integrated into a single browser-called code object. The predetermined software processes may be contained in the form of a non-executable file. The predetermined software processes may be integrated into the browser, and the browser may be Internet Explorer.

The module may be embodied in an ActiveX object to operate within the Windows operating system, or embodied in a Browser Helper Object file to operate within the Mozilla Firefox browser. Alternatively, the module is embodied in a platform-independent object-oriented programming language used for writing applets downloaded from the internet, and the cross-platform programming language is Java.

The module may be initiated and called by a web site or a web page, or the module is called locally in conjunction with a specific web site or a web page. Alternatively, the module is downloaded in response to a web page after determining that the module is not present therein.

The module for inserting and executing the predetermined software processes may be dynamically installed on a computer, mobile communication device or mobile internet device that is different from the one on which the user first keyed in the data, and automatically uninstalled from that different device after the user logs off it.

The software program further comprises a module for detecting malicious behaviors of a known malware, and a module for removing the malware.

The process of intercepting also encrypts the data inputs keyed in by the user at the zero-ring level, and the module further includes a process of passing the encrypted data to a 3-ring level, and a process of decrypting data which passed via the 3-ring level. A software program according to another embodiment of the invention is embedded in a microprocessor-readable storage medium and executable by a microprocessor to prevent software key logging. The software program comprises: a module for inserting and executing predetermined software processes at a zero-ring level in an application programming interface ("API") stack of a browser. The software processes include: a process of inserting an initial hook which works within the 0-ring level and prevents any other hooks from inserting at the 0-ring level; a process of detecting a browser form submission initiation call event at the zero-ring level; a process of intercepting and encrypting data inputs keyed in by a user at the zero-ring level; a process of passing the encrypted data to a 3-ring level, where a hook may have been inserted by a hook-based key logger; a process of decrypting data which passed via the 3-ring level; and a process of submitting the decrypted data to a designated entity through the API stack to an internet communication port.

A method for preventing software key logging, executable by a microprocessor according to yet another embodiment of the invention, comprises a step of inserting and executing by the microprocessor predetermined software processes at a zero-ring level in an application programming interface ("API") stack of a browser. The software processes include: a process of detecting a browser form submission initiation call event at the zero-ring level; a process of intercepting data inputs keyed in by a user at the zero-ring level; and a process of (1) submitting the keyed-in data to a designated entity through the API stack while (2) clearing confidential data from the intercepted data at the zero-ring level prior to a subsequent transmission, which does not contain the confidential data, in response to the software key logging through the API stack to an internet communication port.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram of the context of operation of embodiments of the present invention.

FIG. 2 is a diagram of the action of the embodiments of the present invention in defeating the operation of form-grabbing key loggers.

FIG. 2A is a diagram of the actions of the embodiments of the present invention in defeating the action of hook-based key loggers.

FIG. 3 shows block diagrams of the API stacks with and without keyloggers and with protection by the embodiments of the present invention.

FIG. 4 portrays the configuration of a system wherein servers at a financial institution communicate with multiple accountholder PCs for the distribution, update and authentication of software incorporating AKL functionality and other processes.

FIG. 5 portrays examples of internet forms commonly used by consumers and targeted by form-grabbing key loggers.

FIG. 6 is a diagram that illustrates the manner in which the invention functions to maintain its position in an API stack.

DETAILED DESCRIPTION OF INVENTION

This invention protects against malicious form-grabbing software and stops it from capturing passwords and other data. Initially, software in accordance with the present invention installs itself at the 0-ring level for all browser events within a stack. This ensures all instances of the web browser are protected. The software in accordance with the present invention installs itself into the stack last, to ensure it is called first, so that no key logger logic can circumvent the protection. The software in accordance with the present invention is placement aware and renegotiates its location in the API stack to ensure there are no other hooks that circumvent the protection at any time.

Figure 1 is an overview of the environment in which embodiments of the invention operate, and the generalized location of other components. At the keyboard driver level (100) input is provided by the user; the AKL (105) functions at this level to protect the inputted keyboard data. The virtual keyboard (110) is the next step in the flow of inputted keyboard data, and is a common location for a key logger (115) to be present to intercept the inputted data. The operating system (120) receives the inputted keyboard data and passes the data to the application (130) being utilized by the user, which is a location where key loggers (135) also intercept inputted keyboard data. Finally, the application passes the inputted keyboard data to the internet web server (140) per the user's request.

As illustrated in Figure 2, software in accordance with the invention inserts itself in the API stack last, causing this software to be called first (S200). When a BeforeNavigate event is identified (S210), the software confirms its placement in the API stack (S215). When a form submission onSubmit event occurs (S230), the software identifies all forms on the called web page (S220). If forms are present, the software connects to each form submission event (S222), clears all form inputs marked with INPUT or PASSWORD (S224), and then the event handler clears all passwords (S226). The software provides the user-inputted data through the OnSubmit event in due course to the designated receiving party, such as a bank (S240). The software also ensures all password form fields are cleared from the API chain (S235) and thus are unavailable for capture by form-grabbing key loggers.

This embodiment of the invention affects the current BeforeNavigate event handler upon each IE event or the equivalent event handler in other types of browsers. The software then identifies all forms on the web page and in each form then clears the elements with the tag="INPUT" and type="PASSWORD" (S224). The password in each form is cleared per event by the software (S226).

Within the Microsoft IE family of browsers, the form element IHTMLFormElement has an OnSubmit event, which is also called the BeforeNavigate event. When an IE document is completed, the software identifies all form submissions on the IE page (S220) and connects to their events (S222). By the time the OnSubmit event fires, all the form's data is already in Internet Explorer's POST or GET format (S230). The software clears all password fields involved in the chain of passing this data from the browser to the target server (S235). The software clears the data commonly left behind in the OnSubmit event, thereby preventing form-grabbing key loggers from harvesting it.
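The ordering described above, serialize first and clear afterwards, is the whole mechanism, and it is easy to get backwards. As an added illustration (not code from the patent or from Trusted Knight), the following JavaScript models the sequence on a constructed, in-memory stand-in for a DOM form so that it runs under Node without a browser. The names Form, serializeForm, protectForm, submitWithObservers, readFields and demo are assumptions made here, as is the sample login form.

```javascript
// Added example, not code from the patent or its assignee. It models the
// form-clearing step (S220-S235) on a constructed in-memory stand-in for a
// DOM form. Form, serializeForm, protectForm, submitWithObservers, readFields
// and demo are names assumed here, not browser or patent APIs.

const SENSITIVE_TYPES = new Set(['password']);

// Encode the fields the way a browser does for an x-www-form-urlencoded POST.
function serializeForm(form) {
  return form.elements
    .filter((el) => el.name)
    .map((el) => `${encodeURIComponent(el.name)}=${encodeURIComponent(el.value)}`)
    .join('&');
}

// Minimal stand-in for an HTMLFormElement: {name, type, value} elements plus
// a list of submit listeners. Field objects are copied so forms do not share them.
class Form {
  constructor(action, fields) {
    this.action = action;
    this.elements = fields.map((f) => ({ ...f }));
    this.submitListeners = [];
  }
  addEventListener(type, fn) {
    if (type === 'submit') this.submitListeners.push(fn);
  }
}

// The protective handler. It runs in the submit event, after the browser has
// already captured the payload, and blanks password inputs so that anything
// reading the DOM later in the navigation sequence finds them empty.
function protectForm(form) {
  form.addEventListener('submit', (ev) => {
    for (const el of ev.target.elements) {
      if (SENSITIVE_TYPES.has(String(el.type).toLowerCase()) && el.value !== '') {
        el.value = '';
        ev.clearedCount += 1;
      }
    }
  });
}

// What a DOM reader sees at a given moment: name -> value for every field.
function readFields(form) {
  return Object.fromEntries(form.elements.map((el) => [el.name, el.value]));
}

// Constructed model of the submission sequence the text describes:
// 1. the payload is already in POST format when the submit event fires,
// 2. submit listeners run (ours clears the password fields),
// 3. observers at the BeforeNavigate stage see the DOM as it now is,
// 4. navigation carries the payload captured in step 1.
function submitWithObservers(form, observers) {
  const payload = serializeForm(form);
  const ev = { target: form, clearedCount: 0 };
  for (const fn of form.submitListeners) fn(ev);
  const observed = observers.map((fn) => fn(form));
  return { action: form.action, payload, observed, clearedCount: ev.clearedCount };
}

// Run the same login form twice, unprotected and protected, with one DOM observer.
function demo() {
  const fields = [                                   // constructed sample input
    { name: 'user', type: 'text', value: 'alice' },
    { name: 'pass', type: 'password', value: 'correct horse' },
  ];
  const plain = new Form('https://bank.example/login', fields);
  const unprotected = submitWithObservers(plain, [readFields]);

  const guarded = new Form('https://bank.example/login', fields);
  protectForm(guarded);
  const protectedRun = submitWithObservers(guarded, [readFields]);

  return { unprotected, protectedRun };
}
```

In `demo()` both runs produce the identical payload `user=alice&pass=correct%20horse`, so the submission still reaches the bank, but the observer that reads the DOM after the handlers ran sees an empty `pass` field only in the protected run. The step order inside `submitWithObservers` is the point: a plain page script that blanked fields in `onsubmit` before the browser had built the request would break the login, which is why the text insists on clearing "immediately after allowing the data to be properly submitted". The model covers only readers of the DOM, the path described for the BeforeNavigate-stage form grabber; it says nothing about what any other hook might observe.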

There are two types of hooks: thread-specific hooks and system-wide hooks. A thread-specific hook is associated only with a particular thread, including any thread owned by the calling process. To associate the anti-key logger hook with other processes and threads, the present invention employs a system-wide hook. Each hook is associated with a hook procedure, which is called whenever a particular event occurs; for example, when there is an event associated with the mouse, this hook procedure is called. In Windows®, the hook is set by calling the function SetWindowsHookEx() and later removed by calling UnhookWindowsHookEx(). The invention protects itself at the 0-ring level by creating a wrapper that invokes SetWindowsHookEx(WH_KEYBOARD_LL, KeyboardProc, hInst, 0), thereby initiating and maintaining the low-level global system hook in the API stack. By continuously refreshing and monitoring this state, the software can protect against and identify any hook attempts from ring 3 onward, protecting the 0-ring level. Any attempts to intercept the hook are then rejected and passed down the API chain.

Typical hook-based key loggers catch each character as it is pressed, while a form grabber connects to IE and browser events and in the BeforeNavigate event, when password fields are already filled, searches the password box on page and retrieves its text, including the full credential set.

As illustrated in Figure 2A, the initial hook placed by the present invention works within the 0-ring level together with the anti-form-grabber code in the same instance (S260), whereby the protection is called and placed (S262). If an unauthorized call is detected in ring 0, the call is discarded from the API stack (S270). The protection call continues by hooking its protection around the kernel keyboard driver (S274), where it intercepts keystroke interrupt requests and begins its encryption of the keystroke data (S276) received from the keyboard (S272). This data is then passed into the ring 3 level, the operating system (S280), then on to the intended application, typically a web browser (S282), whereby the keystrokes are decrypted by the browser helper object (S284) or other browser plug-in and presented to the web form for submission as normal via the internet (S290) to the designated receiving entity (S292). Accordingly, the present invention prevents the action of hook-based software key loggers as well as form-grabbing key loggers.

Referring to Figure 3, the first API stack, titled Typical Web Browser API Stack, shows the zero-ring hardware driver (300) interacting with the web browser (305) as the two sole objects in the API stack. The second API stack, labeled Web Browser API Stack with Keylogger, shows both the zero ring (300) and the web browser (305), with the keylogger (310) running between them and intercepting all keyboard input destined for the browser. The third API stack contains all the previous objects, zero ring (300), keylogger (310) and web browser (305), and adds, in its proper position in the stack, the software which counters any keylogger in the API stack. Referring to Figure 4, in a preferred embodiment of the invention, the software containing anti-key logger functionality (420) is distributed by a financial institution (400) to thousands or millions of its customers which have online access to their accounts through browsers on individual PCs or other computing devices (410).

Figure 5 is an example of a typical form used with a browser. Sensitive customer credentials and information are submitted through such forms to web sites of financial institutions in order to gain access to customer accounts. Such forms are also used to verify the identity of a customer and convey credit card or other payment data during an online purchase. Similar forms are used to gain access to web sites that may not involve financial accounts but which may contain confidential information including personally identifiable information, government records, health records, or other information that is private, proprietary or commercially sensitive.

Figure 6 illustrates how the invention maintains its position in the API stack, shown in relation to kernel ring calls. The Ring 0 API is the level with the most privileges and interacts most directly with the physical hardware, such as the CPU and memory (650); it is also known as the kernel level. Under the present invention, protection is inserted at this level (660), where it can determine whether an unauthorized ring 0 call is being made (670), in which case the call is bounced from the API chain. If no such attempt is detected, the calls are passed to Ring 3, the software level (680), and from there to the browser (682). The browser handles the request as an HTTP POST or GET; the credentials pass through the BeforeNavigate event (684) and then the onSubmit event (686), whereupon they are sent over the internet (688) to the intended receiving entity (690).

While the foregoing description uses Internet Explorer® as an example, the invention is not limited to this browser but can be used with any internet browser, including but not limited to Firefox®, Safari® or Opera®. In summary, the following are the steps in the operation of a preferred embodiment of the present invention:

• Set a hook at 0 ring in the API stack

• Pass data to DLL

• Detect any form submission event

• Allow form data submission

• Clear form data

The invention protects against at least the following threats:

• Window title enumeration using FindWindow()

• BHO or Firefox Browser Extension hooks

• LSP (Layered Service Provider)

• DDE (Dynamic Data Exchange) using the WWW_GetWindowInfo topic

• OLE (Object Linking and Embedding) using IWebBrowser2

• Hooking (e.g. WinInet HttpSendRequest, SetWindowsHookEx + WH_GETMESSAGE/WH_KEYBOARD)

• Form-grabber key loggers that gather the browser location (current URL) via DdeConnect() with the topic "WWW_GetWindowInfo" (countered by disabling that hook)

The software modules or processes of the present invention can all be called from a single file object. The present invention can be integrated into the browser itself. Alternatively, the present invention can be invoked or downloaded by an individual web page or website. If a registered user tries to initiate the present invention from a different computer, the present invention will uninstall itself after operation on that computer. The present invention can be part of an enterprise implementation with a master server.

System And Method Implementation

The present invention can be applied to existing or evolving operating systems and development tools such as JavaScript, Ajax, Flash and RIA frameworks, for cross-platform use or mobile applications. Each platform has a different operating system and therefore different call structures and API methods; the invention can be applied to different OSes by manipulating the corresponding calls on each OS. The foregoing description portrays various embodiments of the present invention along with examples of how the present invention may be implemented. These examples and embodiments should not be considered the only possible embodiments or implementations of the present invention. Further embodiments of the present invention may involve the operation of a portable or wireless device, including implementation of the invention or portions of the invention in software operating on such a device, or in firmware embedded in such a device or transmitted to the device from a remote system.

Portions of the present invention may be applied to general purpose or a specialized digital device, computer system, server, computer or microprocessor programmed according to the teachings of the present disclosure, as will be apparent to those skilled in the art of communication, computer and e-commerce. The microprocessor can be embedded in a computer, a mobile communication device or a mobile internet device. The mobile communication device may be a cellular phone, a radio phone, a satellite phone, or a smartphone. The mobile internet device may be a PDA, a handheld computer, a tablet computer, a laptop computer, or a notebook computer.

Appropriate software coding can readily be prepared by skilled programmers based on the teachings of the present disclosure, as will be apparent to those skilled in the software art. The invention may also be implemented by the preparation of application specific integrated circuits or by interconnecting an appropriate network of conventional component circuits, as will be readily apparent to those skilled in the art.

The present invention includes a computer program product which is embedded in a storage/recording medium (media) having instructions stored thereon/in which can be used to control, or cause, a microprocessor or a computer to perform any of the processes of the present invention. The storage medium can include, but is not limited to, any type of disk including floppy disks, mini disks (MDs), optical discs, DVD, CD-ROMs, micro-drives, and magneto-optical disks, ROMs, RAMs, EPROMs, EEPROMs, DRAMs, VRAMs, flash memory devices (including flash cards and USB drives), magnetic or optical cards, nanosystems (including molecular memory ICs), RAID devices, remote data storage/archive/warehousing, or any type of media or device suitable for storing instructions and/or data. Stored on any one of the computer readable media, the present invention includes software for controlling both the hardware of the general purpose/specialized computer or microprocessor, and for enabling the computer or microprocessor to interact with a human user or other mechanism utilizing the results of the present invention. Such software may include, but is not limited to, device drivers, operating systems, and user applications. Ultimately, such computer readable media further includes software for performing the present invention, as described above. Included in the programming (software) of the general/specialized computer or microprocessor are software modules for implementing the teachings of the present invention.

In conclusion, the present invention provides, among other things, a system and method for protecting against form-grabbing and other key loggers. Those skilled in the art can readily recognize that numerous variations and substitutions may be made in the invention, its use and its configuration to achieve substantially the same results as achieved by the embodiments described herein. Accordingly, there is no intention to limit the invention to the disclosed exemplary forms. Many variations, modifications and alternative constructions fall within the scope and spirit of the disclosed invention as expressed in the embodiments.

Claims

WHAT IS CLAIMED IS:
1. A software program embedded in a microprocessor-readable storage medium and executable by a microprocessor to prevent software key logging comprising: a module for inserting and executing predetermined software processes at a zero-ring level in an application programming interface ("API") stack of a browser, said software processes including: a process of detecting a browser form submission initiation call event at the zero-ring level; a process of intercepting data inputs keyed in by a user at the zero-ring level; and a process of (1) submitting the keyed-in data to a designated entity through the API stack while (2) clearing confidential data from intercepted data at the zero-ring level prior to a subsequent transmission, which does not contain said confidential data, in response to the software key logging through the API stack to an internet communication port.
2. The software program according to claim 1, wherein the browser is Internet Explorer, and the form submission initiation call event takes the form of an onSubmit call or a BeforeNavigate call under Internet Explorer.
3. The software program according to claim 1, wherein the module for inserting takes the form of a global hook call.
4. The software program according to claim 1, wherein the predetermined software processes are integrated into a single browser-called code object.
5. The software program according to claim 1, wherein the predetermined software processes are contained in the form of a non-executable file.
6. The software program according to claim 1, wherein the predetermined software processes are integrated into the browser.
7. The software program according to claim 6, wherein the browser is Internet Explorer.
8. The software program according to claim 1, wherein the module is embodied in an ActiveX object to operate within the Windows operating system.
9. The software program according to claim 1, wherein the module is embodied in a Browser Helper Object file to operate within the Mozilla Firefox browser.
10. The software program according to claim 1, wherein the module is embodied in a platform-independent object-oriented programming language used for writing applets downloaded from internet.
11. The software program according to claim 10, wherein the cross platform programming language is Java.
12. The software program according to claim 1, wherein the module is implemented within a computer, a mobile communication device or a mobile internet device.
13. The software program according to claim 12, wherein the mobile communication device is a cellular phone, a radio phone, a satellite phone, or a smartphone.
14. The software program according to claim 12, wherein the mobile internet device is a PDA, a handheld computer, a tablet computer, a laptop computer, or a notebook computer.
15. The software program according to claim 12, wherein the module is deployed from a portable storage device when the portable storage device is connected to the computer, the mobile communication device or the mobile internet device.
16. The software program according to claim 15, wherein the portable storage device has a key-fob form.
17. The software program according to claim 16, wherein the portable storage device is a USB drive.
18. The software program according to claim 1, wherein the module is initiated and called by a web site or a web page.
19. The software program according to claim 18, wherein the module is called locally in conjunction with a specific web site or a web page.
20. The software program according to claim 18, wherein the module is downloaded in response to a web page after determining that the module is not present therein.
21. The software program according to claim 1, wherein the module for inserting and executing the predetermined software processes is dynamically installed in a computer, a mobile communication device or a mobile internet device which is different from the computer, the mobile communication device or the mobile internet device the user keyed in the data for the first time, and automatically uninstalled therefrom the module after the user logs off the different computer, mobile communication device or mobile internet device.
22. The software program according to claim 1, further comprising a module for detecting malicious behaviors of a known malware, and a module for removing said malware.
23. The software program according to claim 1, wherein the process of intercepting also encrypts the data inputs keyed in by the user at the zero-ring level, and the module further includes a process of passing the encrypted data to a 3-ring level, and a process of decrypting data which passed via the 3-ring level.
24. A software program embedded in a microprocessor-readable storage medium and executable by a microprocessor to prevent software key logging comprising: a module for inserting and executing predetermined software processes at a zero-ring level in an application programming interface ("API") stack of a browser, said software processes including: a process of inserting an initial hook which works within the 0-Ring level and prevents any other hooks from inserting at the 0-Ring level; a process of detecting a browser form submission initiation call event at the zero-ring level; a process of intercepting and encrypting data inputs keyed in by a user at the zero-ring level; a process of passing the encrypted data to a 3-ring level where a hook is inserted by a hook-based key logger; a process of decrypting data which passed via the 3-ring level; and a process of submitting the decrypted data to a designated entity through the API stack to an internet communication port.
25. A method for preventing software key logging executable by a microprocessor, comprising: a step of inserting and executing by the microprocessor predetermined software processes at a zero-ring level in an application programming interface ("API") stack of a browser, said software processes including: a process of detecting a browser form submission initiation call event at the zero-ring level; a process of intercepting data inputs keyed in by a user at the zero-ring level; and a process of (1) submitting the keyed-in data to a designated entity through the API stack while (2) clearing confidential data from intercepted data at the zero-ring level prior to a subsequent transmission, which does not contain said confidential data, in response to the software key logging through the API stack to an internet communication port.
Priority Applications (2)

Application Number Priority Date Filing Date Title
US12/427,833 2009-04-22
US12/427,833 US8316445B2 (en) 2008-04-23 2009-04-22 System and method for protecting against malware utilizing key loggers

Publications (1)

Publication Number Publication Date
WO2010123565A1 true WO2010123565A1 (en) 2010-10-28

Family

ID=41216305

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2010/001199 WO2010123565A1 (en) 2008-04-23 2010-04-22 System and method for protecting against malware utilizing key loggers

Country Status (2)

Country Link
US (2) US8316445B2 (en)
WO (1) WO2010123565A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014145186A1 (en) * 2013-03-15 2014-09-18 Strikeforce Technologies, Inc. Methods and apparatus for securing user input in a mobile device
US9098704B2 (en) 2013-10-09 2015-08-04 Kaspersky Lab, Zao Method for function capture and maintaining parameter stack

Families Citing this family (23)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8291393B2 (en) * 2007-08-20 2012-10-16 International Business Machines Corporation Just-in-time compiler support for interruptible code
US9596250B2 (en) 2009-04-22 2017-03-14 Trusted Knight Corporation System and method for protecting against point of sale malware using memory scraping
US8935789B2 (en) * 2008-07-21 2015-01-13 Jayant Shukla Fixing computer files infected by virus and other malware
WO2010041257A1 (en) * 2008-10-10 2010-04-15 Safend Ltd. System and method for incapacitating a hardware keylogger
JP5405986B2 (en) * 2008-11-26 2014-02-05 Panasonic Corporation The software updating system, the management apparatus, a recording medium and an integrated circuit
WO2010061561A1 (en) 2008-11-26 2010-06-03 Panasonic Corporation Monitoring system, program-executing device, monitoring program, recording medium and integrated circuit
US10157280B2 (en) * 2009-09-23 2018-12-18 F5 Networks, Inc. System and method for identifying security breach attempts of a website
US8539583B2 (en) 2009-11-03 2013-09-17 Mcafee, Inc. Rollback feature
WO2012142263A2 (en) 2011-04-12 2012-10-18 Applied Science, Inc. Systems and methods for managing blood donations
US20120272059A1 (en) * 2011-04-20 2012-10-25 Varun Shetty System and method for secure exchange of information in a computer system
US9245118B2 (en) 2012-07-18 2016-01-26 Infosys Limited Methods for identifying key logging activities with a portable device and devices thereof
EP2690838A1 (en) * 2012-07-23 2014-01-29 Alcatel Lucent Authentification system preserving secret data confidentiality
US9754105B1 (en) * 2012-09-25 2017-09-05 Malwarebytes Corporation Preventing the successful exploitation of software application vulnerability for malicious purposes
US20140108939A1 (en) * 2012-10-15 2014-04-17 Nokia Corporation Method and apparatus for managing online content collections using a single programming tool
CN103020526B (en) * 2012-12-21 2016-04-13 Beijing Qihoo Technology Co., Ltd. Proactively block malicious programs and methods and apparatus for client devices
WO2014185770A1 (en) * 2013-05-17 2014-11-20 Mimos Berhad Method and system for detecting keylogger
CN103389898A (en) * 2013-07-22 2013-11-13 Shenzhen Gionee Communication Equipment Co., Ltd. Method for managing mobile terminal software and mobile terminal
US9342687B2 (en) * 2014-08-07 2016-05-17 International Business Machines Corporation Detecting synthetic keystrokes
CN104539584B (en) * 2014-12-05 2018-01-19 Beijing Qihoo Technology Co., Ltd. Browser-injection method, and the client device browser
US10289846B2 (en) * 2015-04-17 2019-05-14 Easy Solutions Enterprises Corp. Systems and methods for detecting and addressing remote access malware
CN106203118B (en) * 2016-07-13 2019-01-22 Beijing Kingsoft Internet Security Software Co., Ltd. Processing method, device and the electronic equipment of modification insertion label scintillation time
US10262134B2 (en) 2016-10-07 2019-04-16 International Business Machines Corporation Detection of key logging activity
FI20165817A (en) * 2016-10-31 2018-05-01 Jetico Inc Oy Method for computer-aided operational

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060036731A1 (en) * 2004-08-16 2006-02-16 Mossman Associates Novel method and system of keyless data entry and navigation in an online user interface console for preventing unauthorized data capture by stealth key logging spy programs
US20060206943A1 (en) * 2000-03-31 2006-09-14 Ellison Carl M Protecting software environment in isolated execution
US20070240212A1 (en) * 2006-03-30 2007-10-11 Check Point Software Technologies, Inc. System and Methodology Protecting Against Key Logger Spyware
US20070250927A1 (en) * 2006-04-21 2007-10-25 Wintutis, Inc. Application protection
US20080189790A1 (en) * 2005-10-12 2008-08-07 Ahn Lab, Inc. Method For Preventing Key Logger From Hacking Data Typed on Keyboard Through Autorization of Keyboard Data
US20080263672A1 (en) * 2007-04-18 2008-10-23 Hewlett-Packard Development Company L.P. Protecting sensitive data intended for a remote application
US20080274716A1 (en) * 2007-05-01 2008-11-06 Qualcomm Incorporated Application logging interface for a mobile device
US20090077383A1 (en) * 2007-08-06 2009-03-19 De Monseignat Bernard System and method for authentication, data transfer, and protection against phishing

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006014554A2 (en) * 2004-07-07 2006-02-09 University Of Maryland Method and system for monitoring system memory integrity
US20060253582A1 (en) * 2005-05-03 2006-11-09 Dixon Christopher J Indicating website reputations within search results
US8566608B2 (en) * 2006-02-02 2013-10-22 Strikeforce Technologies, Inc. Methods and apparatus for securing keystrokes from being intercepted between the keyboard and a browser
US20080016339A1 (en) * 2006-06-29 2008-01-17 Jayant Shukla Application Sandbox to Detect, Remove, and Prevent Malware

Also Published As

Publication number Publication date
US20090271866A1 (en) 2009-10-29
US20130061323A1 (en) 2013-03-07
US8316445B2 (en) 2012-11-20

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 10767430; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase in: DE
122 Ep: pct application non-entry in european phase (Ref document number: 10767430; Country of ref document: EP; Kind code of ref document: A1)